struts-user mailing list archives

From Alex Paransky <ap...@standardset.com>
Subject RE: The best practices regarding secure JSP and Action classes
Date Mon, 14 Oct 2002 15:02:42 GMT
Just use <security-constraint> in your web.xml deployment descriptor.  For
example:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Private resources</web-resource-name>
      <!-- /private alone would match only that one path; /private/* covers everything under it -->
      <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

The above will make all pages/actions/anything in app/private require a
logon.  You will also have to tell web.xml what type of logon to use.

-AP_
http://www.myprofiles.com/member/profile/apara_personal
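One way to bridge an application's own database-driven role model into the map-once, container-style approach described above, as an added example that is not from this thread or from the securityfilter project: a servlet Filter mapped to /private/* in web.xml. The class name, the session attribute keys and the init-param names are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not from the thread): maps an application's own database-driven logon
// onto the container's view of the user, so everything mapped to it in web.xml (e.g. /private/*)
// is guarded once, and JSPs/Actions behind it can call request.isUserInRole() without DB access.
public class DbRoleFilter implements Filter {
    // Assumed: the logon Action stores the user name and a Set<String> of roles
    // (loaded once from the database) in the session under these keys.
    static final String USER_KEY = "app.user";
    static final String ROLES_KEY = "app.roles";
    private String requiredRole;   // <init-param> requiredRole, e.g. "member"
    private String logonPage;      // <init-param> logonPage, e.g. "/logon.jsp"

    public void init(FilterConfig cfg) {
        requiredRole = cfg.getInitParameter("requiredRole");
        logonPage = cfg.getInitParameter("logonPage");
    }
    public void destroy() {}

    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        HttpSession session = http.getSession(false);   // never create a session here
        final String user = session == null ? null : (String) session.getAttribute(USER_KEY);
        final Set<String> roles = session == null ? null : (Set<String>) session.getAttribute(ROLES_KEY);

        if (user == null || roles == null) {             // not logged on: authenticate first
            out.sendRedirect(http.getContextPath() + logonPage);
            return;
        }
        if (requiredRole != null && !roles.contains(requiredRole)) {   // logged on, wrong role
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Expose the database roles through the standard servlet API for the rest of the chain.
        HttpServletRequest wrapped = new HttpServletRequestWrapper(http) {
            public String getRemoteUser() { return user; }
            public Principal getUserPrincipal() { return new Principal() { public String getName() { return user; } }; }
            public boolean isUserInRole(String role) { return roles.contains(role); }
        };
        chain.doFilter(wrapped, res);
    }
}
```

Declare it in web.xml with a <filter> entry carrying the two init-params and a <filter-mapping> whose <url-pattern> is /private/*, so the check runs before any JSP or Action under that path.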

-----Original Message-----
From: Hoang, Hai [mailto:Hai.Hoang@coair.com]
Sent: Monday, October 14, 2002 7:44 AM
To: 'Struts Users Mailing List'
Subject: RE: The best practices regarding secure JSP and Action classes


I already have my own database driven security model.  Once a user logs on I
already know his role.  But the problem is how do I make this security
model work with the container-managed model so I don't have to check
on every single page.

Hai



-----Original Message-----
From: Eddie Bush [mailto:ekbush@swbell.net]
Sent: Monday, October 14, 2002 9:38 AM
To: Struts Users Mailing List
Subject: Re: The best practices regarding secure JSP and Action classes

- setup container-managed authentication
    - as a server-configured service
    - as a filter (see securityfilter.sourceforge.net)
    - see your servlet container user guide for setup of the
      non-filter-based solution
- in your web.xml
    - declare the roles you will use
    - declare the URLs etc
    - see the servlet specification for how to configure this

The web.xml config applies to the non-filter-based approach I *think*.
See the filter's site for more information on how to configure that
particular one.

If you push your authentication/authorization up to the server level,
you don't have to have "nasty hacks" in all of your protected JSPs.
Just make the auth work and specify the mappings it holds true for.
Other good references on this topic include Java Servlet Programming
(Jason Hunter - O'Reilly) and Java Server Pages (Hans Bergsten -
O'Reilly).  There are probably other resources available that outline
how to configure your deployment descriptor (web.xml) for this.

Hoang, Hai wrote:

>I want to secure the admin portion of my application from unauthorized
>users.  What is the best way to achieve this task?  Should I include a
>"CheckUser" tag on every jsp page and call a "CheckUser" function on every
>single action class?  I don't want the user to just key in the direct url of
>the jsp page or call the action class directly.  But doing this, I have to
>go to the database twice on every action.
>
>Do you know a better way?
>
--
Eddie Bush




--
To unsubscribe, e-mail:
<mailto:struts-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:struts-user-help@jakarta.apache.org>




